Healthcare.gov doesn’t protect personal information of Obamacare applicants

As members of Congress grilled the secretary of the United States Health and Human Services department Wednesday morning in Washington, the agency’s Healthcare.gov site was being blamed for more issues than ever.

HHS Secretary Kathleen Sebelius had a rough morning on Wednesday answering to lawmakers during a Capitol Hill hearing, and her agency’s ongoing blunder — the Healthcare.gov site — even went offline again momentarily during the meeting.

Seriously unfortunate live split screen. pic.twitter.com/1OIsPE7gR9

— Zach Wolf (@zbyronwolf) October 30, 2013

But while serious glitches and significant downtime have dominated articles about the online marketplace for so-called Obamacare as of late, privacy problems abound as well. Security expert Ben Simo has discovered a number of problematic vulnerabilities with the website for President Barack Obama’s Affordable Care Act in recent days, and the issues could have compromised the personal information of potentially millions of Americans.

“There are so many obvious security flaws that I doubt they took security seriously,” Simo, the former president of the Association for Software Testing, wrote on his blog this Tuesday.

Last week, Simo suggested that even an unskilled attacker could access usernames, password reset codes, email addresses and security questions pertaining to the accounts of anyone who signed up for the president’s health insurance plan since the website went live on October 1. Should a hacker guess someone’s username, he said, they could then use that information to social engineer oneself into another’s account.

“Although what I've learned is something any competent web security professional (malicious or ethical) can find within an hour, I do not want to enable (or give the impression of enabling) others to attack the site,” he wrote.

“This level of security is unacceptable,” Simo said at the time. “I am now of the opinion that no one should trust Healthcare.gov with any information.The externally visible lack of security is appalling and suggests incompetence on the part of those who built it.”

Simo discovered the vulnerability earlier this month, and his attempts to report the issue with the online operator at the Department of Health and Human Services were futile, he told reporters with TIME Magazine last week.

“After a half hour of delay, Simo was told his complaints would be forwarded the Federal Trade Commission, an agency that typically investigates consumer complaints, who would contact law enforcement as necessary,” TIME’s Michael Scherer reported last Thursday.

That Friday, Simo detailed the vulnerability on his blog, and that same day TIME took up the issue with both the White House and HHS Dept. The Obama administration, however, could not confirm that the issue was handled until the following Monday.

By Sunday, however, Simo had already discovered yet another issue.

“I have read some reports that we need not be overly concerned about Healthcare.gov security because the site doesn't keep much personal information,” Simo acknowledged. On the contrary, however, an audit of the code used to transfer information to third-party analytics and advertising companies nevertheless moves user names and password reset codes unencrypted to outside agencies.

“Not only does this violate Healthcare.gov's stated privacy policy, it likely also violates the privacy policies of these 3rd parties,” Simo wrote. “Even if the 3rd parties receiving the data can be trusted to not abuse the data, they may not protect it as personally identifiable information should be protected -- especially if they are not expecting to receive personal information.”

Additionally, Simo found that Healthcare.gov’s system could be storing more information on users than even Obamacare applicants assumed. Simo noted that when logging onto the site, “it returns a whole bunch of information I previously provided that is not needed for the purpose of logging into the system,” including a field for the applicant’s Social Security number, if supplied. This information is encrypted, Simo noted, but could still be compromised nonetheless. Even then, other vulnerabilities appeared to be unpatched.

@apblake Only issue confirmed by HHS as fixed is returning the password reset codes to the browser. http://t.co/uUpFhoBBN8

— Ben Simo (@QualityFrog) October 30, 2013

Chris Soghoian, the principal technologist for the American Civil Liberties Union, chimed in over Twitter that the Federal Trade Commission punished both Facebook and Myspace in the past over similar leaks of personal information to third-party companies.

The FTC punished both Facebook & MySpace for the same kind of 3rd party referrer leak flaw as http://t.co/ABKCyk6swxhttp://t.co/91ggeYkilJ

— Christopher Soghoian (@csoghoian) October 30, 2013

Last year, both social media companies proimised the FTC that they’d develop comprehensive privacy programs to settle allegations that it violated their own policies by leaking personal info to third-parties. In Myspace’s case, they told the FTC they’d also allow for security audits to occur regularly for another 20 years.

Also this Tuesday, the Associated Press reported that an internal government memo indicated that Healthcare.gov posted a “high” security risk because a contractor wasn’t able to test the site properly. The only testing conducted "exposed a level of uncertainty that can be deemed as a high risk," the memo said, though the site was rolled out regardless. According to the memo, an audit of the site wasn’t going to occur until two-to-three months after the October 1 launch.